DSA-4208 procps - security update
https://www.debian.org/security/2018/dsa-4208
<p>The Qualys Research Labs discovered multiple vulnerabilities in procps,
a set of command line and full screen utilities for browsing procfs. The
Common Vulnerabilities and Exposures project identifies the following
problems:</p>
2018-05-22
DSA-4207 packagekit - security update
https://www.debian.org/security/2018/dsa-4207
<p>Matthias Gerstner discovered that PackageKit, a DBus abstraction layer
for simple software management tasks, contains an authentication bypass
flaw allowing users without privileges to install local packages.</p>
2018-05-22
DSA-4206 gitlab - security update
https://www.debian.org/security/2018/dsa-4206
<p>Several vulnerabilities have been discovered in Gitlab, a software
platform to collaborate on code:</p>
2018-05-21
DSA-4205 - Advance notification for upcoming end-of-life for Debian 8
https://www.debian.org/security/2018/dsa-4205
<p>This is an advance notice that regular security support for Debian
GNU/Linux 8 (code name "jessie") will be terminated on the 17th of
June.</p>
2018-05-18
DSA-4204 imagemagick - security update
https://www.debian.org/security/2018/dsa-4204
<p>This update fixes several vulnerabilities in imagemagick, a graphical
software suite. Various memory handling problems or issues about
incomplete input sanitizing would result in denial of service or
memory disclosure.</p>
2018-05-18
DSA-4203 vlc - security update
https://www.debian.org/security/2018/dsa-4203
<p>Hans Jerry Illikainen discovered a type conversion vulnerability in the
MP4 demuxer of the VLC media player, which could result in the execution
of arbitrary code if a malformed media file is played.</p>
2018-05-17
DSA-4202 curl - security update
https://www.debian.org/security/2018/dsa-4202
<p>OSS-Fuzz, assisted by Max Dymond, discovered that cURL, a URL transfer
library, could be tricked into reading data beyond the end of a heap-based
buffer when parsing invalid headers in an RTSP response.</p>
2018-05-16
DSA-4201 xen - security update
https://www.debian.org/security/2018/dsa-4201
<p>Multiple vulnerabilities have been discovered in the Xen hypervisor:</p>
2018-05-15
DSA-4200 kwallet-pam - security update
https://www.debian.org/security/2018/dsa-4200
<p>Fabian Vogt discovered that incorrect permission handling in the PAM
module of the KDE Wallet could allow an unprivileged local user to gain
ownership of arbitrary files.</p>
2018-05-14
DSA-4199 firefox-esr - security update
https://www.debian.org/security/2018/dsa-4199
<p>Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors
may lead to the execution of arbitrary code or denial of service.</p>
2018-05-10
DSA-4198 prosody - security update
https://www.debian.org/security/2018/dsa-4198
<p>Albert Dengg discovered that incorrect parsing of <q>stream:error</q> messages
in the Prosody Jabber/XMPP server may result in denial of service.</p>
2018-05-09
DSA-4197 wavpack - security update
https://www.debian.org/security/2018/dsa-4197
<p>Multiple vulnerabilities were discovered in the wavpack audio codec which
could result in denial of service or the execution of arbitrary code if
malformed media files are processed.</p>
2018-05-09
DSA-4196 linux - security update
https://www.debian.org/security/2018/dsa-4196
<p>Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial of service.</p>
2018-05-08
DSA-4195 wget - security update
https://www.debian.org/security/2018/dsa-4195
<p>Harry Sintonen discovered that wget, a network utility to retrieve files
from the web, does not properly handle '\r\n' from continuation lines
while parsing the Set-Cookie HTTP header. A malicious web server could
use this flaw to inject arbitrary cookies to the cookie jar file, adding
new or replacing existing cookie values.</p>
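To make this class of bug concrete, the following is an added illustrative Python example; it is not wget's code and does not reproduce the exact header from the report. It models a header unfolder, a Set-Cookie parser and a Netscape-format cookie jar writer/loader. A continuation line (obs-fold) carries a complete seven-field jar record; when the unfolder keeps the CRLF that ended the previous line inside the joined value, that record is written to the jar as a line of its own and comes back as a second cookie for a domain the server never owned. The strict path collapses the fold to one space and discards any cookie whose name or value contains control characters or whitespace. The host name, the file contents and the responses are all constructed for the demo.

```python
import re

# Constructed sample, not a captured exchange: a response from a hostile
# server.  The Set-Cookie value is folded onto a continuation line (leading
# tab), and that continuation is a complete seven-field Netscape cookie-jar
# record for a domain the server does not own.
HOSTILE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=abc123\r\n"
    b"\t.bank.example\tTRUE\t/\tFALSE\t2147483647\tauth\tattacker\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"\r\n"
)

# RFC 6265 cookie names and values may not contain CTLs or whitespace.
_CTL_OR_WS = re.compile(rb"[\x00-\x20\x7f]")


def unfold_headers(raw, strict):
    """Return [(name, value)] from a raw header block, joining obs-fold
    continuation lines.  strict=False keeps the CRLF that ended the previous
    line inside the joined value (the illustrative defect); strict=True
    collapses the fold to a single space, as RFC 7230 requires."""
    headers = []
    for line in raw.split(b"\r\n")[1:]:           # [0] is the status line
        if not line:                               # blank line ends the block
            break
        if line[:1] in (b" ", b"\t"):              # continuation line
            name, value = headers.pop()
            glue = b" " if strict else b"\r\n"
            headers.append((name, value + glue + line.lstrip()))
        else:
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookies_from_headers(headers, origin_host, strict):
    """Turn Set-Cookie headers into jar records.  strict=True discards any
    cookie whose name or value carries a control character or whitespace,
    which is what keeps an injected record out of the jar."""
    records = []
    for name, value in headers:
        if name != b"set-cookie":
            continue
        pair, _, _attributes = value.partition(b";")
        cname, _, cvalue = pair.partition(b"=")
        cname, cvalue = cname.strip(), cvalue.strip()
        if strict and (_CTL_OR_WS.search(cname) or _CTL_OR_WS.search(cvalue)):
            continue
        records.append((origin_host, b"FALSE", b"/", b"FALSE", b"0", cname, cvalue))
    return records


def write_jar(records):
    """Serialise records as a Netscape cookie file: one tab-separated line each."""
    return b"# Netscape HTTP Cookie File\n" + b"".join(b"\t".join(r) + b"\n" for r in records)


def load_jar(blob):
    """Re-read the jar the way any line-oriented loader would."""
    loaded = []
    for line in blob.splitlines():
        if not line or line.startswith(b"#"):
            continue
        fields = line.split(b"\t")
        if len(fields) == 7:
            loaded.append((fields[0], fields[5], fields[6]))   # domain, name, value
    return loaded


def ingest(raw_response, origin_host, strict):
    """Full round trip: parse headers, persist to a jar, reload the jar."""
    headers = unfold_headers(raw_response, strict)
    return load_jar(write_jar(cookies_from_headers(headers, origin_host, strict)))


if __name__ == "__main__":
    print("lenient:", ingest(HOSTILE_RESPONSE, b"host.example", strict=False))
    print("strict: ", ingest(HOSTILE_RESPONSE, b"host.example", strict=True))
```

The lenient run returns two cookies, the second one for `.bank.example`; the strict run drops the folded cookie entirely, which is the RFC 6265 behaviour for an invalid set-cookie-string, while a plain `Set-Cookie` line still round-trips.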
2018-05-08
DSA-4194 lucene-solr - security update
https://www.debian.org/security/2018/dsa-4194
<p>An XML external entity expansion vulnerability was discovered in the
DataImportHandler of Solr, a search server based on Lucene, which could
result in information disclosure.</p>
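The following is an added illustrative example, written in Python rather than Solr's Java so that it runs stand-alone; it is not Solr's or the DataImportHandler's code. It shows the mechanism behind the advisory: an import document whose DTD declares an external general entity backed by a local file, parsed once with external entity resolution enabled and once with it disabled. A recording entity resolver stands in for the file system, so the run is offline and the "leaked" bytes are canned; with the stock resolver the same unsafe configuration would open the URL for real. The document, file name and field names are constructed for the demo.

```python
import io
from xml.sax import make_parser
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample: an import document whose internal DTD subset declares an
# external entity backed by a local file and references it in element content.
XXE_DOCUMENT = b"""<?xml version="1.0"?>
<!DOCTYPE import [
  <!ENTITY leak SYSTEM "file:///etc/hostname">
]>
<import><field name="title">&leak;</field></import>
"""


class RecordingResolver(EntityResolver):
    """Stands in for the file system: records what the parser asked for and
    returns canned bytes, so the demo runs offline and touches no real file.
    With the stock resolver, the same parser configuration would open the URL."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(b"CANNED-FILE-CONTENT"))
        return source


class TextCollector(ContentHandler):
    """Accumulates character data, i.e. what would end up in the index."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_import(xml_bytes, allow_external_entities):
    """Parse an import document; returns (field text, resources fetched).
    allow_external_entities=True is the unsafe configuration."""
    parser = make_parser()
    resolver, collector = RecordingResolver(), TextCollector()
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip(), resolver.requested


if __name__ == "__main__":
    print("unsafe:", parse_import(XXE_DOCUMENT, allow_external_entities=True))
    print("safe:  ", parse_import(XXE_DOCUMENT, allow_external_entities=False))
```

With resolution enabled the field text is the file's contents and the resolver log shows which resource was fetched; with it disabled the entity is skipped, the field is empty and nothing is fetched. The same split (a parser feature, not input filtering) is what a fix for this class of bug has to flip.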
2018-05-06
DSA-4193 wordpress - security update
https://www.debian.org/security/2018/dsa-4193
<p>Several vulnerabilities were discovered in wordpress, a web blogging
tool, which could allow remote attackers to compromise a site via
cross-site scripting, bypass restrictions or unsafe redirects. More
information can be found in the upstream advisory at
<a href="https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/">https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/</a></p>
2018-05-05
DSA-4192 libmad - security update
https://www.debian.org/security/2018/dsa-4192
<p>Several vulnerabilities were discovered in MAD, an MPEG audio decoder
library, which could result in denial of service if a malformed audio
file is processed.</p>
2018-05-04
DSA-4191 redmine - security update
https://www.debian.org/security/2018/dsa-4191
<p>Multiple vulnerabilities were discovered in Redmine, a project
management web application. They could lead to remote code execution,
information disclosure or cross-site scripting attacks.</p>
2018-05-03
DSA-4190 jackson-databind - security update
https://www.debian.org/security/2018/dsa-4190
<p>It was discovered that jackson-databind, a Java library used to parse
JSON and other data formats, improperly validated user input prior to
deserializing because of an incomplete fix for
<a href="https://security-tracker.debian.org/tracker/CVE-2017-7525">CVE-2017-7525</a>.</p>
2018-05-03
DSA-4189 quassel - security update
https://www.debian.org/security/2018/dsa-4189
<p>Two vulnerabilities were found in the Quassel IRC client, which could
result in the execution of arbitrary code or denial of service.</p>
2018-05-02
DSA-4188 linux - security update
https://www.debian.org/security/2018/dsa-4188
<p>Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.</p>
2018-05-01
DSA-4187 linux - security update
https://www.debian.org/security/2018/dsa-4187
<p>Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.</p>
2018-05-01
DSA-4186 gunicorn - security update
https://www.debian.org/security/2018/dsa-4186
<p>It was discovered that gunicorn, an event-based HTTP/WSGI server, was
susceptible to HTTP response splitting.</p>
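To show what response splitting is and what a server has to check to prevent it, here is an added illustrative Python example; it is not gunicorn's code and does not claim to reproduce its exact defect. A minimal response serializer takes a WSGI-style header list; when it copies a header value containing CR/LF verbatim, the bytes on the wire parse as two responses, the second one entirely attacker-authored. The hardened variant rejects any field name or value containing CR or LF before writing. A small client-side consumer counts the responses so the effect is visible. The redirect target and page contents are constructed for the demo.

```python
import re

_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")

# Constructed sample: a redirect target an application might copy straight
# from a query parameter into a Location header.  It terminates the real
# response and appends a second, attacker-authored one.
SPLIT_PAYLOAD = (
    b"/home\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"<h1>pwned page</h1>"
)


def header_is_safe(name, value):
    """RFC 7230: CR and LF never belong inside a field name or value."""
    return re.search(rb"[\r\n]", name + value) is None


def serialize_response(status, headers, body, strict):
    """Turn (status, [(name, value)], body) into wire bytes.  strict=False
    copies header values verbatim, which is the splitting defect; strict=True
    refuses any header that would break the message framing."""
    lines = [b"HTTP/1.1 " + status]
    for name, value in headers:
        if strict and not header_is_safe(name, value):
            raise ValueError("CR/LF in header %r" % name)
        lines.append(name + b": " + value)
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def redirect(location, strict):
    """The usual way user input reaches a header: a redirect to a supplied URL."""
    return serialize_response(b"302 Found", [(b"Location", location)], b"", strict)


def split_responses(wire):
    """Consume a byte stream the way a simple keep-alive client would and
    return [(status_code, body)].  More than one entry from a single
    serialize_response call is the splitting in action."""
    responses = []
    while True:
        wire = wire.lstrip(b"\r\n")
        head, sep, rest = wire.partition(b"\r\n\r\n")
        if not sep or not _STATUS_LINE.match(head):
            return responses
        lines = head.split(b"\r\n")
        code = int(lines[0].split(b" ")[1])
        length = 0
        for field in lines[1:]:
            name, _, value = field.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        responses.append((code, rest[:length]))
        wire = rest[length:]


if __name__ == "__main__":
    print("lenient:", split_responses(redirect(SPLIT_PAYLOAD, strict=False)))
    try:
        redirect(SPLIT_PAYLOAD, strict=True)
    except ValueError as err:
        print("strict: rejected ->", err)
```

The lenient serializer yields a 302 followed by a forged 200 with attacker HTML, which a client or an intermediary cache on a keep-alive connection would attribute to the next request; the strict one raises before anything reaches the socket. Rejecting is the right response here, since there is no legitimate encoding of a bare CR or LF inside an HTTP/1.x header value.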
2018-04-28
DSA-4185 openjdk-8 - security update
https://www.debian.org/security/2018/dsa-4185
<p>Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, execution of arbitrary code or bypass of JAR
signature validation.</p>
2018-04-28
DSA-4184 sdl-image1.2 - security update
https://www.debian.org/security/2018/dsa-4184
<p>Multiple vulnerabilities have been discovered in the image loading
library for Simple DirectMedia Layer 1.2, which could result in denial
of service or the execution of arbitrary code if malformed image files
are opened.</p>
2018-04-28
DSA-4183 tor - security update
https://www.debian.org/security/2018/dsa-4183
<p>It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contains a protocol-list handling bug
that could be used to remotely crash directory authorities with a
null-pointer dereference (TROVE-2018-001).</p>
2018-04-28
DSA-4182 chromium-browser - security update
https://www.debian.org/security/2018/dsa-4182
<p>Several vulnerabilities have been discovered in the chromium web browser.</p>
2018-04-28
DSA-4181 roundcube - security update
https://www.debian.org/security/2018/dsa-4181
<p>Andrea Basile discovered that the <q>archive</q> plugin in roundcube, a
skinnable AJAX based webmail solution for IMAP servers, does not
properly sanitize a user-controlled parameter, allowing a remote
attacker to inject arbitrary IMAP commands and perform malicious
actions.</p>
2018-04-28
DSA-4180 drupal7 - security update
https://www.debian.org/security/2018/dsa-4180
<p>A remote code execution vulnerability has been found in Drupal, a
fully-featured content management framework. For additional information,
please refer to the upstream advisory at
<a href="https://www.drupal.org/sa-core-2018-004">https://www.drupal.org/sa-core-2018-004</a></p>
2018-04-25
DSA-4179 linux-tools - security update
https://www.debian.org/security/2018/dsa-4179
<p>This update doesn't fix a vulnerability in linux-tools, but provides
support for building Linux kernel modules with the <q>retpoline</q>
mitigation for <a href="https://security-tracker.debian.org/tracker/CVE-2017-5715">CVE-2017-5715</a> (Spectre variant 2).</p>
2018-04-24